TrustSource Upgrade to v2.5.59

We are happy to announce the latest upgrade, v2.5.59. As usual, we have added a few features and improved and fixed a few things. For detailed information see our Changelog.


Free Vulnerability Lake Search - Better identify potentially vulnerable Components and other Tools

TrustSource Vulnerability Lake Search

Both software developers and security researchers are familiar with the challenge of mapping known vulnerabilities to open source components. Although CPE (Common Platform Enumeration) codes provide a standardised scheme for associating vulnerabilities with products, the nomenclature was originally designed for vendor software and fits open source components poorly, since these often lack a clear "organisation".

This leads to problems in finding vulnerabilities and assigning them correctly. Sometimes the project name serves as the vendor, e.g. "kubernetes:kubernetes", sometimes it is the organising foundation, e.g. "apache:http". Some projects also pass through different organisations over time, like the widely used Spring framework: its entries are found under "pivotal_software:spring_framework" and, from 2019, under "vmware:spring_framework", which will cause confusion for years to come because versions under both keys coexist.
And, to top it off, even the product names themselves are ambiguous: is it "npmjs", "npm_js" or "npmjs:npm"?

TrustSource Vulnerability Lake Search turns the tables: it lets you search the existing CPEs directly, so that you can find every key that has to be considered for a component.

With the help of TrustSource Vulnerability Alert I will catch all Known Vulnerabilities even while asleep!!

TrustSource Vulnerability Alert

With the help of the TrustSource Vulnerability Alert, you can always stay up to date. The identifiers found with the search described above can be subscribed to. Registered users – registration is free and easy, e.g. via a GitHub account – can add selected terms to a list. These lists are checked every few hours against updates from managed sources such as the NVD. If updates or new entries are found, the subscriber receives an email with a link to the new information.
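The two steps described above, finding every vendor:product key under which a product appears and then matching new vulnerability records against the subscribed keys, look like this in code. This is an added example written for this article, not TrustSource's implementation; the CPE dictionary and the vulnerability records are constructed sample data and the CVE identifiers are placeholders.

```python
"""CPE search and subscription matching: parse CPE 2.3 strings, find every
vendor:product key under which a product appears (e.g. spring_framework under
pivotal_software and vmware), and match a batch of new vulnerability records
against subscribed keys.

Illustrative code written for this article, not TrustSource's implementation.
The CPE dictionary and the records are constructed; CVE IDs are placeholders.
"""
import re
from typing import Dict, List, NamedTuple, Set, Tuple


class Cpe(NamedTuple):
    part: str      # a = application, o = operating system, h = hardware
    vendor: str
    product: str
    version: str

    @property
    def key(self) -> str:
        """The vendor:product pair that vulnerabilities are bound to."""
        return f"{self.vendor}:{self.product}"


def parse_cpe23(text: str) -> Cpe:
    """Parse a CPE 2.3 formatted string such as
    cpe:2.3:a:vmware:spring_framework:5.3.0:*:*:*:*:*:*:*
    Colons inside attribute values are escaped as backslash-colon in the
    format, so we split on unescaped colons only."""
    fields = re.split(r"(?<!\\):", text)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {text!r}")
    return Cpe(part=fields[2], vendor=fields[3], product=fields[4], version=fields[5])


def normalise(term: str) -> str:
    """CPE names are lower-case with underscores; make a search term look the same."""
    return re.sub(r"[\s\-.]+", "_", term.strip().lower())


# Constructed sample of a CPE dictionary mirroring the naming inconsistencies
# discussed in the text; the versions are arbitrary.
CPE_DICTIONARY = [
    "cpe:2.3:a:pivotal_software:spring_framework:5.1.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:vmware:spring_framework:5.3.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:kubernetes:kubernetes:1.20.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:npmjs:npm:6.14.0:*:*:*:*:*:*:*",
]


def search_keys(term: str, dictionary: List[str] = CPE_DICTIONARY) -> Set[str]:
    """Return every vendor:product key whose vendor or product contains the term."""
    needle = normalise(term)
    return {
        cpe.key
        for cpe in map(parse_cpe23, dictionary)
        if needle in cpe.vendor or needle in cpe.product
    }


# Constructed batch of "new or updated" records in the shape a feed poller
# might hand over: identifier plus affected CPEs. The IDs are placeholders.
NEW_RECORDS: List[Tuple[str, List[str]]] = [
    ("CVE-0000-0001", ["cpe:2.3:a:vmware:spring_framework:5.3.0:*:*:*:*:*:*:*"]),
    ("CVE-0000-0002", ["cpe:2.3:a:kubernetes:kubernetes:1.20.0:*:*:*:*:*:*:*"]),
    ("CVE-0000-0003", ["cpe:2.3:a:pivotal_software:spring_framework:5.1.0:*:*:*:*:*:*:*",
                       "cpe:2.3:a:vmware:spring_framework:5.3.0:*:*:*:*:*:*:*"]),
]


def alerts_for(subscriptions: Set[str], records=NEW_RECORDS) -> Dict[str, Set[str]]:
    """Map each record that touches a subscribed key to the keys it matched."""
    hits: Dict[str, Set[str]] = {}
    for vuln_id, cpes in records:
        matched = {parse_cpe23(c).key for c in cpes} & subscriptions
        if matched:
            hits[vuln_id] = matched
    return hits


if __name__ == "__main__":
    keys = search_keys("Spring Framework")
    print("keys to subscribe:", sorted(keys))
    for vuln_id, matched in alerts_for(keys).items():
        print(vuln_id, "->", sorted(matched))
```

Searching for "Spring Framework" returns both the pivotal_software and the vmware key, which is exactly the case where subscribing to only one of them would miss half the entries.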

TrustSource customers get this functionality applied automatically to all bills of materials (SBOMs) in their solution(s). TrustSource scanners determine the SBOM while your application is being built and therefore know all dependencies, including the transitive ones. In addition, you can add infrastructure components to a project in TrustSource itself, and thus track vulnerable components that do not appear in your own source code.

Vulnerability alerts can be delivered either by email to the relevant project participants or to the system's own inbox. The latter helps to ensure that alerts are not missed because of absences or mail filters.

To enable easy integration into surrounding systems, all these functions are also available via API. However, the use of the API is subject to a fee and is not part of the free plans.

To allow a quick classification of criticality, TrustSource always shows the attack vector and the severity as CVSS values (Common Vulnerability Scoring System, find details on CVSS here) alongside the description of the CVE and its mapping to the open source components.

TrustSource Life Cycle Alert

These capabilities result in yet another service that TrustSource makes available to its customers: The Life-Cycle Alert.

The obligation of a software manufacturer to inform its customers about known vulnerabilities does not end with the delivery of the software; it usually only begins then. This is even more true for equipment manufacturers: the harder it is to get customers to apply updates promptly, the more complex the situation becomes.

If known vulnerabilities emerge in the components used after the release of the software, it is up to the manufacturer to inform its customers as part of its duty to provide proper information. This obligation already applies in the area of medical devices (MDR) and will certainly extend to other areas.

TrustSource makes it possible to record SBOMs that have been released and to subject them to continuous monitoring. Every patch or release state that has been generated for a customer product can be tracked and alerted on accordingly.

It sounds promising but you are not sure whether your specific demand will be met?

Or would you prefer to get hands-on experience in a free trial?


New Features in TrustSource v2.5

We’ve put a lot in the feature box again!

Rejoice with us and try it out right away!

New Features:

New role Portfolio Manager and Portfolio Overview introduced:
In response to customer requests, a Portfolio Manager role has been introduced which keeps an eye on all issues across the portfolio. For this purpose an explicit portfolio overview was built, from which critical components can be identified within three clicks.
New search options for Vulnerability Lake:
It is now also possible to search for CPEs or component identifiers and to subscribe to them. This makes it easy to track different identifiers or sources.
Ability to display vulnerability descriptions directly (Get Details):
Allows the description of a vulnerability to be displayed in place, so that the screen does not have to be changed and decisions can be made directly in context.
Vulnerabilities for infrastructure components:
With the help of the Vulnerability Lake it is now also possible to better resolve known vulnerabilities for infrastructure components and to display them in detail in the application.
Automatic completion of legal todos with the help of the notice file:
It is now possible to generate the notice file as a preliminary version without approval. TrustSource then automatically sets all obligations that are fulfilled by the notice file to "completed" and references the notice file. This saves a lot of maintenance work.
Interoperability: Support for all CycloneDX SBOMs:
We have included CycloneDX, both in the core for manual uploads of modules or 3rd-party software and via API. In addition to SPDX, CycloneDX is now fully supported via both channels, which enables integration with almost all scanners. In the course of this, an import API for SPDX (v2.2+) was also created.
Dependencies are displayed using a sunburst diagram for greater clarity.
CMake integration: With the help of this new scanner, CMake-built projects can be easily scanned and transferred to the platform for further analysis.
Improvements:

Attack vector representation has been standardised and made more readable.
Since further sources were added, the deep link to the NVD became impractical, so we have provided an internal representation. This will also change slightly in the coming weeks.
Loading times of larger scans optimised and shortened
Vulnerability Alert mails now contain appropriate deep links so that the new information can be jumped to directly.
Internal optimisations in the area of Vulnerability Assignments.
Changes in the framework no longer affect only the analysis and the results; the notice file is now adapted as well.
New intro for new users.
Improvements for the administration of components (Component Manager)
ts-node-client updated to work with newer node versions.
Tagging capabilities improved, especially for components, projects and modules, to simplify filtering.
Improved sorting capabilities in CompDB
Added chronicle of legal settings. This means that older states can also be retrieved.


Free Open Source Compliance Training

For years, the same questions have arisen again and again in the context of open source:

  • Am I allowed to use open source in applications used for business purposes?
  • What are the consequences of using open source?
  • Is the GPL a “toxic” license?
  • What do the American licenses mean for us in Europe?

The irritation hits developers in particular, who are confronted with the use or deployment of open source in the front line. Computer scientists are rarely also lawyers, and even if law and computer science are similar in many respects, it is not trivial to interpret a license without prior legal knowledge.
To help close this gap, we provide a basic Open Source Compliance Training. The training introduces the topic, briefly describes the background and gives insight into the essential aspects of licenses. More than 4 hours of video material, presentations and quizzes have gone into the freely available, self-paced online course.

In the course the participant gets an overview of:

  • The motivation and background of open source compliance,
  • The challenges that make open source compliance more than just making a list,
  • Solution concepts that help to anchor standards-compliant open source compliance in an organization.

The presentations, held in English, are divided into small, short bites, so that they can be easily consumed in between online meetings or in short doses at the beginning of each day.
Direct access can be found here on the Trainings page.


TrustSource v2.0 to come!

TrustSource 2.0 comes with new look & feel

We are proud to announce availability of the upcoming v2.0 of TrustSource by May 7th.

Since the list of features has become a bit crowded over the last few versions, we have arranged the navigation area into groups. These are organised according to the phases of value creation, which helps you find your way more quickly: scanners are in the Inbound group, vulnerability information and project management tasks go into Internal, and notice file generation you will find in Outbound.

More focus in work

Furthermore, we help our customers to focus. Especially in larger organizations with extensive project portfolios, it becomes important to move quickly and stay focused. With the help of the "Pin to Dashboard" function, it is now possible to pin projects directly to the dashboard, giving direct access with just a few clicks. Also included in this segment is the ability to tag projects and modules. Table views can be filtered with the help of tags, which quickly provides more visibility. In later expansion stages, the tags will also be usable in the reports and other overviews.

Vulnerability Lake

To simplify your daily work, we have included a complete replica of the NVD data. Updated every two hours you can now browse through the CVEs, research by organisation, product and versions (CPEs) from within TrustSource or through our API. It is our intention to grow the pool of data and make this valuable knowledge available at your fingertips.

New import API for CycloneDX SBOMs

We have also taken the developments on the market into account and included the CycloneDX standard, which is gaining adoption rapidly. It is now possible to import CycloneDX documents, which means that all CycloneDX-compatible scanners can be used with TrustSource. The documents only have to be transferred to the new API /import/scan/cyclonedx.
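For anyone wiring a scanner of their own to a CycloneDX import such as the one above (or the CycloneDX support described in the v2.5 feature list), the following shows what a minimal CycloneDX 1.4 JSON document looks like when built from a dependency graph, including transitive dependencies, and how to check its referential integrity before uploading. This is an added example written for this article, not TrustSource's scanner code; the application, its dependency graph and the versions are constructed sample data.

```python
"""Build a minimal CycloneDX 1.4 JSON SBOM from a dependency graph and check
its referential integrity before handing it to an import API.

Added for this article; not TrustSource's scanner code. The application, its
dependency graph and the versions are constructed sample data.
"""
import json
import uuid
from typing import Dict, List, Tuple

# Constructed dependency graph: name -> (version, direct dependencies).
# The root is the application itself; "uitools" stands for an internal library.
GRAPH: Dict[str, Tuple[str, List[str]]] = {
    "webshop": ("2.1.0", ["express", "uitools"]),
    "express": ("4.18.2", ["body-parser"]),
    "body-parser": ("1.20.1", []),
    "uitools": ("1.2.3", []),
}
ROOT = "webshop"


def purl(name: str, version: str) -> str:
    """Package URL for an npm package; it doubles as the bom-ref."""
    return f"pkg:npm/{name}@{version}"


def build_bom(graph: Dict[str, Tuple[str, List[str]]], root: str) -> dict:
    """Walk the graph depth-first and emit a component for every node except
    the root, plus a dependencies entry for every node, so that transitive
    dependencies are represented and not just the direct ones."""
    components: List[dict] = []
    dependencies: List[dict] = []
    seen = set()

    def walk(name: str) -> None:
        if name in seen:
            return
        seen.add(name)
        version, deps = graph[name]
        ref = purl(name, version)
        if name != root:
            components.append({"type": "library", "bom-ref": ref, "name": name,
                               "version": version, "purl": ref})
        dependencies.append({"ref": ref,
                             "dependsOn": [purl(d, graph[d][0]) for d in deps]})
        for dep in deps:
            walk(dep)

    walk(root)
    root_version = graph[root][0]
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {"component": {"type": "application", "bom-ref": purl(root, root_version),
                                   "name": root, "version": root_version}},
        "components": components,
        "dependencies": dependencies,
    }


def validate_bom(bom: dict) -> List[str]:
    """Return a list of problems; an empty list means the document is
    internally consistent (every dependency ref points at a declared bom-ref)."""
    problems: List[str] = []
    if bom.get("bomFormat") != "CycloneDX" or "specVersion" not in bom:
        problems.append("missing bomFormat/specVersion header")
    refs = {c["bom-ref"] for c in bom.get("components", [])}
    refs.add(bom["metadata"]["component"]["bom-ref"])
    for entry in bom.get("dependencies", []):
        if entry["ref"] not in refs:
            problems.append(f"dependency ref {entry['ref']} is not a declared component")
        for target in entry.get("dependsOn", []):
            if target not in refs:
                problems.append(f"{entry['ref']} depends on undeclared {target}")
    return problems


def component_names(bom: dict) -> List[str]:
    """Sorted component names, handy for a quick diff against a lock file."""
    return sorted(c["name"] for c in bom["components"])


if __name__ == "__main__":
    bom = build_bom(GRAPH, ROOT)
    print(json.dumps(bom, indent=2))
    print("problems:", validate_bom(bom) or "none")
```

A dangling dependsOn reference is the most common defect in hand-rolled SBOMs, and it silently breaks transitive vulnerability attribution on the receiving side, which is why the validator checks it before anything is uploaded.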

Improvements

In addition, we will introduce a number of improvements:

  • It will now be possible to jump back and forth between the scan (the raw data introduced to TrustSource by any scanner or the CycloneDX SBOM upload) and the analysed dependency view. This helps to understand the dependency hierarchy.
  • We have improved the speed of loading the analysis selector. Daily scanned but never changed projects had a tendency to produce a heavy latency.
  • DeepLinks from DeepScan results view into the repository are now also supported for specific branches

Fixes

The following fixes will be provided:

  • Deletion of license aliases in a non-sequential order no longer produces empty aliases
  • Prevented an internal error when module or component names were extraordinarily long during scans
  • Date representation in Safari sometimes did not work correctly
  • Some adjustments to the component crawlers and the storage of results will reduce the amount of faulty data

Get in touch! We are happy to hear about your concerns!


How to convince your Management of the importance of Open Source Compliance

How to convince Management

When talking to our customers from the corporate world, we often recognise a reasonable acceptance of the topic at developer level. There is an awareness of the "copyright" aspects of software. On the one hand this is due to the many years of beating the drum for the topic that most engaged developers have experienced by now; on the other hand it is because many of them publish software themselves.

Unfortunately, these experiences move into the background to the same degree that financial aspects move into the foreground. The more people focus on the financial and commercial aspects of a product or service, the less room for respect of creative freedom there seems to be. This does not mean that managers underestimate the quality of work they receive in open source products, nor should it put managers in the corner of ignorant work bots. But whenever you are facing delivery deadlines and/or have to align budget constraints with a competitive feature list, open source compliance remains the second priority.

Not looking for open source compliance might be a bad mistake…

This might be a bad mistake! Open source compliance is not an option, it is a must. The key aspect of open source compliance is the generation of a "Software Bill of Materials" (SBOM). The closer your solution is to a piece of hardware, the more relevant this becomes, as the software will most likely be distributed with that hardware. Missing out on compliance, even by accident, might be seen as a criminal act. Not addressing compliance aspects in a commercial organisation is a sort of fraud.

…especially due to the fact, that it can be heavily automated!

Thus management is well advised to take care of compliance, especially since it can meanwhile be heavily automated. Generating SBOMs as part of your CI/CD chain, deriving the context of your solution and resolving the resulting requirements can be fully automated at almost no cost using free and open source tooling. Learn about available options in the article on the "Open Source Compliance Tooling Capability Model".

However, if you have to convince your management to care more about compliance, or want to learn how to set up and establish a compliance program, download the slides attached to this post or reach out to one of our consultants.



How TrustSource protects against dependency confusion attacks

What has happened?

Security researchers have managed to gain access to various high-security networks with the help of a dependency confusion attack. With this attack they managed to send protected information and data from within the affected networks to the outside. Depending on the attack scenario, other activities would also be imaginable: once behind the defence lines, the damage scenario can be freely chosen.

How was the attack executed?

The security researchers got the idea when they found the names of private packages in open source tools published by the companies (Apple, Adobe, etc.).

Companies often use open source and supplement certain functionalities or graphical controls with their own libraries. These, in turn, are developed by only one team and made available as separate packages or libraries to other development teams. This is efficient and convenient because the broad set of development teams does not have to worry about it, yet the look-and-feel remains consistent across different applications or services.

If the companies now contribute software back to the community and the references to such "private" packages are not removed from the source code, the release carries the names of these packages outside. This in itself is not that dangerous. It only becomes interesting if the information is exploited for a dependency confusion attack (see below).

How could you protect yourself from this to happen?

  • Component naming:
    If internal component names follow a naming scheme, such as ORG.COMPANY.UNIT.UITOOLS, it becomes much harder for third parties to create corresponding names in the public package registries without causing a stir. ORG.COMPANY.UNIT.UITOOLS is more noticeable than the 100th package called UITOOLS.
  • Configuration of package manager proxies:
    For the attack to succeed, the local distribution mechanism must be outwitted. It should be ensured that no updates for internal packages are pulled from outside, e.g. by matching the name prefix or a simple denylist, so that internal names are served from the internal registry only.
  • Version control:
    With the help of a version history, it quickly becomes possible to determine which versions are in use. A jump from 1.2.3 to 69.1.0 can be discovered quickly and stands out.

What is a dependency confusion?

Modern build systems use package managers, especially to manage the ever-growing number of open source components. Each build specification therefore contains a list of the components to be included. In Java (Maven) this is the pom.xml file, in Node.js (JavaScript) it is package.json.

This file lists the components together with the version constraint for each. Since many components change frequently, the constraint is often not an exact version such as 1.2.3 but a range such as ^1.2.3, which in npm means "at least 1.2.3, but below 2.0.0". If the maintainer of the component releases 1.2.4 (a patch) or 1.3.0 (a new feature), the next build automatically picks up the newer version.

If a malicious actor now publishes a package of the same name with a higher version number to the public registry, say 12.1.0, a resolver that merges the private and the public registry and simply takes the highest version (pip does this with an extra index, and a proxy that is not told which names are internal behaves the same way) will hand out the attacker's package. A resolver that honours the range is caught just the same if the attacker picks a version inside it, e.g. 1.99.0 for ^1.2.3.
If the project now builds a new version, the malicious code is pulled from outside, integrated into a QA system and deployed there. Depending on the damage scenario chosen, a lot can be done with this.
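To make the resolution behaviour concrete, here is a small simulation added for this article (it is not TrustSource code and not a real package manager): two constructed registries, a naive resolver that merges them and takes the highest matching version, a hardened resolver that serves names on an internal allowlist from the private registry only, and the version-jump check from the protection list above. The package name "uitools", the registry contents and the versions are all assumptions made up for the example.

```python
"""Dependency-confusion simulation: a naive resolver that merges a private and
a public registry versus a hardened one that pins internal names to the
private registry and flags implausible version jumps.

Registry contents, the package name "uitools" and all versions are constructed
for this example; nothing here is a real package or TrustSource code.
"""
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH' into a comparable tuple."""
    major, minor, patch = (int(part) for part in text.split("."))
    return (major, minor, patch)


def satisfies(version: Version, spec: str) -> bool:
    """Supported specs: '*' (any version, the pip-like 'highest wins' case),
    exact versions ('1.2.3'), and npm-style caret ranges ('^1.2.3', meaning
    >=1.2.3 <2.0.0 for major >= 1)."""
    if spec == "*":
        return True
    if spec.startswith("^"):
        base = parse_version(spec[1:])
        return version >= base and version[0] == base[0]
    return version == parse_version(spec)


# Constructed registries: the private one holds the real internal package, the
# public one holds attacker-published look-alikes with higher versions.
PRIVATE_REGISTRY: Dict[str, List[str]] = {"uitools": ["1.2.3"]}
PUBLIC_REGISTRY: Dict[str, List[str]] = {
    "uitools": ["1.99.0", "12.1.0"],   # attacker uploads
    "left-pad": ["1.3.0"],             # a legitimate public package
}
INTERNAL_NAMES = {"uitools"}           # names that must never come from outside


def resolve_naive(name: str, spec: str) -> Optional[Tuple[str, str]]:
    """Merge both registries and return (registry, version) for the highest
    version that satisfies the spec. Merging is what makes confusion work."""
    candidates = []
    for registry, contents in (("private", PRIVATE_REGISTRY), ("public", PUBLIC_REGISTRY)):
        for text in contents.get(name, []):
            version = parse_version(text)
            if satisfies(version, spec):
                candidates.append((version, registry, text))
    if not candidates:
        return None
    _, registry, text = max(candidates)
    return (registry, text)


def resolve_hardened(name: str, spec: str) -> Optional[Tuple[str, str]]:
    """Internal names are resolved from the private registry only; everything
    else may fall back to the public registry. Registries are never merged."""
    registries = [("private", PRIVATE_REGISTRY)]
    if name not in INTERNAL_NAMES:
        registries.append(("public", PUBLIC_REGISTRY))
    for registry, contents in registries:
        matching = [parse_version(t) for t in contents.get(name, [])
                    if satisfies(parse_version(t), spec)]
        if matching:
            best = max(matching)
            return (registry, ".".join(str(n) for n in best))
    return None


def suspicious_jump(previous: str, proposed: str, max_major_delta: int = 1) -> bool:
    """Flag a version change whose major version advances by more than
    max_major_delta, e.g. 1.2.3 -> 69.1.0, as the text suggests."""
    return parse_version(proposed)[0] - parse_version(previous)[0] > max_major_delta


if __name__ == "__main__":
    print("naive    ^1.2.3 ->", resolve_naive("uitools", "^1.2.3"))
    print("naive    *      ->", resolve_naive("uitools", "*"))
    print("hardened ^1.2.3 ->", resolve_hardened("uitools", "^1.2.3"))
    print("jump 1.2.3 -> 69.1.0 suspicious:", suspicious_jump("1.2.3", "69.1.0"))
```

The naive resolver hands out the attacker's 1.99.0 even though the caret range is honoured, and 12.1.0 as soon as no range is given; the hardened resolver never consults the public registry for an internal name, so the attacker's uploads are simply invisible to it.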

You want to manage vulnerability protection along the complete lifecycle of your product?

TrustSource can help to protect you!

If you use TrustSource, it knows the current versions of your modules and solutions as well as of publicly available components. Sudden version jumps of publicly available components are detected by our systems and reported to our support team for review. Critical developments are reported back to the affected projects.

If you are already using TrustSource, you are probably familiar with the concept of “linked modules”, the integration of releases of your own software. If versions appear here that were previously unknown, this also leads to a report to the respective project manager. In this way, you can be sure to notice corresponding developments quickly.


TrustSource @ FOSDEM 2021


We are looking forward to the presentations of Jan Thielscher and Grigory Markin at FOSDEM 2021.

Open Source Compliance Tooling – Capability Reference Architecture

Jan will present the Open Source Tooling Workgroup's reference model in the OpenChain Dev-Room, which outlines domain-specific capabilities and their interrelationships. The model has been created over the last two years by members of the workgroup and is intended to provide an overview of the tasks required in the context of open source compliance. It is also useful for mapping the different tools and being clear about which functionality they cover. See the complete video here.

During the talk Jan will also try to motivate tool vendors to map their tools against the model.

Capabilities in comparison

In a second talk, Grigory Markin will present the TrustSource DeepScan open source tool and the free online service DeepScan of the same name in the Dev-Room Software Composition. This solution has been developed to support open source users in identifying the effective licenses and attribution information (license & copyright) :

TrustSource DeepScan – How to effectively excavate effective licenses

In this 15 minute talk, Grigory and Jan will briefly outline the challenge of “effective” licenses and discuss the various technical possibilities and challenges of automated license analysis using similarity analysis, among other things. Finally, the tool, the current state of work and the next steps will be briefly presented.

Get in touch! We are happy to hear about your concerns!


ISO 5230 - Standard on open source compliance

On December 14th, 2020, the International Organization for Standardization (ISO) publicly released ISO 5230, the first standard on open source compliance (OSC). The standard is the result of several years' work by a working group under the umbrella of the Linux Foundation. For several years, many open source compliance experts from leading technology organisations worldwide sat together and shaped a simple but efficient approach to tackling the open source compliance challenge.

The following video, a recording of the 10-minute introduction to the OpenChain project that Jan gave on Feb 6th at this year's FOSDEM, explains the core idea of the OpenChain project and introduces the core specification requirements (the outline of ISO 5230).

You think that ISO 5230 is relevant for your company? You want to learn more?

Do not hesitate to reach out for a quick chat!

OpenChain helps to build trust along the value chain by requiring certified participants to comply with specified requirements on how to organise their open source usage and management. Since we have been involved with OpenChain for several years now, we took its ideas and embedded them into TrustSource. TrustSource is thus well suited to support both the introduction of and the ongoing compliance with ISO 5230, respectively the OpenChain requirements.

Interested to get a better understanding of how TrustSource may support your OpenChain/ISO5230 certification?


Vulnerability Lake in beta

TrustSource adds Vulnerability Lake

Due to many requests, we decided to open up our internal vulnerability DB for research by developers. Starting from version 2.0, TrustSource will provide its internal "known vulnerability" database for search. Several searches will be available:

  1. TrustSource Vulnerability-Lake public web UI
  2. TrustSource Vulnerability-Lake web UI
  3. TrustSource Vulnerability-Lake API

The public web UI as well as the TrustSource integrated web ui provide a simple and an expert search mode. You …

TrustSource Vulnerability Lake allows simple overview of vulnerability status

Get in touch! We are happy to hear about your concerns!